Skip to content

fix(p1-batch): dev-portal, profile counters, consent name, puzzle liveness gate, login consistency, a11y, card heights, verify CSP#188

Merged
ahmetabdullahgultekin merged 1 commit into
mainfrom
fix/2026-06-02-p1-batch
Jun 2, 2026
Merged

fix(p1-batch): dev-portal, profile counters, consent name, puzzle liveness gate, login consistency, a11y, card heights, verify CSP#188
ahmetabdullahgultekin merged 1 commit into
mainfrom
fix/2026-06-02-p1-batch

Conversation

@ahmetabdullahgultekin

Copy link
Copy Markdown
Contributor

Pre-demo P1 batch from USER_FINDINGS_2026-06-02.md. No new i18n keys. tsc clean · full vitest 1037 passed / 0 errors · production build OK.

# Fix
#15 verify: BlazeFace modelUrlstorage.googleapis.com/learnjs-data/face_detector (tfhub.dev was CSP-blocked) + favicon <link>
#6b hide the dead Auth-Sessions nav entry (auth_sessions has no production writer; route kept)
#3 developer-portal: real SDK snippet (new FivucsasAuth().loginRedirect() + handleRedirectCallback() via verify.fivucsas.com/fivucsas-auth.js), guide link → docs.fivucsas.com, removed the permanently-disabled View-Secret button + its unused state/imports
#E1 Recent-Logins counts MFA_COMPLETE too (was USER_LOGIN-only → read 0 for MFA logins)
#E2 enrolled-methods denominator = METHOD_CONFIGS.length (was hardcoded 9)
#E3 consent list shows tenant name (+ excludes self-tenant, already shown by the toggle); hook pins consents to an array (malformed body no longer crashes the page)
#14 puzzles: passive-liveness gate hard-rejects only on an explicit not-live verdict — a null verdict soft-passes (active gesture proves liveness). Fixes 'blink completes then resets forever'
#1/#1a removed the password-only 'Change' button so all first factors are uniform (matches verify.fivucsas; PR #145 regressed it) + hidden autocomplete="username" input on identifier-first password forms (a11y / password managers)
#11 enrollment cards: fixed 2-line description height → uniform card sizes

Notes / follow-ups: (a) adding PASSKEY + APPROVE_LOGIN enrollment cards (the other half of #11) is a feature with unclear APPROVE_LOGIN enroll semantics — intentionally not in this PR. (b) Stale PR #90 overlaps FacePuzzle.tsx/verify-app/index.html — recommend closing it as superseded. (c) #6 tenant-switcher role-label fix is api PR #194; the optional post-switch toast is a follow-up.

🤖 Generated with Claude Code

…le liveness gate, login consistency, a11y, card heights, verify BlazeFace CSP

Pre-demo P1 fixes (USER_FINDINGS_2026-06-02):
- #15 verify: BlazeFace modelUrl → storage.googleapis mirror (tfhub.dev was CSP-blocked) + favicon link.
- #6b: hide the dead Auth-Sessions nav entry (auth_sessions has no production writer).
- #3 developer-portal: real SDK snippet (FivucsasAuth.loginRedirect/handleRedirectCallback via verify.fivucsas.com/fivucsas-auth.js), guide link → docs.fivucsas.com, removed dead disabled View-Secret button + its unused state/imports.
- #E1: Recent-Logins count now includes MFA_COMPLETE (was USER_LOGIN-only → read 0 for MFA logins).
- #E2: enrolled-methods denominator uses METHOD_CONFIGS.length (was hardcoded 9).
- #E3: biometric-consent list shows tenant NAME (model field) + excludes the self-tenant (already shown by the toggle). Hardened the hook to pin consents to an array (malformed body no longer crashes the page).
- #14 puzzles: relax the fail-closed passive-liveness gate to hard-reject only on an explicit not-live verdict (null verdict now soft-passes — the active gesture proves liveness). Fixes 'blink completes then resets forever'.
- #1: removed the password-only 'Change' button so ALL first factors are uniform (matches verify.fivucsas; PR #145 regressed it). #1a: added a hidden username input on the identifier-first password forms (LoginPage + PasswordStep) for a11y + password managers.
- #11: enrollment cards use a fixed 2-line description height → uniform card sizes.

tsc clean; full vitest 1037 passed + 0 errors; production build OK.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ahmetabdullahgultekin ahmetabdullahgultekin merged commit c7aacde into main Jun 2, 2026
4 checks passed
@ahmetabdullahgultekin ahmetabdullahgultekin deleted the fix/2026-06-02-p1-batch branch June 2, 2026 11:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant